Considerations in Designing Data Governance
The phrase ‘data is the new oil’ has now become a familiar phrase. While it has been in use for almost a decade, its implications are now clear for all to see as data informs more and more of government and civil society decision-making as well as businesses.
Now more than ever, conversations around data policies are gaining relevance in the mainstream. Recognising the all-pervasive nature of data, governments and global institutions have come up with various data policies.
The General Data Protection Regulation (GDPR) is one of the most commonly known laws in the data policy area. GDPR was drafted and passed by the European Union (EU) and is known for its strict regulation around data privacy and security. In India, there are policies such as the National Data Sharing and Accessibility Policy (NDSAP). In February 2022, the Ministry for Electronics & Information Technology (MeitY) published the Draft India Data Accessibility & Use Policy, 2022.
Here is an introductory framework of a few commonly known concepts in the data governance field. They could serve as important considerations in framing and/or analysing data policies in the public sector.
- Data Residency refers to the processing and storing of public data within a country’s border. The primary focus of data residency is to ensure that data is secure and not in the control of an external actor. Designing for appropriate data residency requirements is critical in any data policy. For example, GDPR requires data to be stored inside the EU and can be transferred outside only if the other entity (country or institution) has an equivalent privacy protection regulation. Analysing GDPR through the lens of data residency gives a sense of the EU’s approach towards data protection and security. Different countries and institutions may have different requirements depending on the goals of their policy.
- Data Minimisation is the process of collecting limited data that is required for a specific purpose. In a practical sense, an entity cannot collect data beyond what is required. For example, in delivering a health service, data about a person’s religion or caste may not be relevant. However, in most policies, data minimisation is stated only as a principle. Unlike data residency, there is no straightforward requirement that needs to be followed. Hence, mechanisms around compliance with the principle become vital and should be addressed along with the data minimisation principle in the policies.
- Data Retention is the time period for which data needs to be stored before it is deleted. For example, the California Consumer Privacy Act (CCPA), another commonly discussed law in consumer rights and the private sector, mentions that data should be stored only for the period it is required. However, it’s important to address not only how long data can be stored but also for how long data can be made available to third parties before it is anonymised or requires consent renewal.
In addition to the three concepts mentioned above, aspects focusing on how can data enhance the autonomy of users, be non-discriminatory and consent-based could be key considerations in designing or evaluating data governance policies.
It may help to ask: How is the policy going to address risks such as an entity having to involuntarily share data because of existing hierarchical differences in society? How is the policy defining ‘informed consent’ and is it equitable? Answering such questions can facilitate inclusive and secure data policies and, at the same time, pave the way for empowered communities in the digital age. Empowered citizens could become active participants in the data narrative and exercise their agency to see and solve their own problems.